Troubleshoot Proxy SSO
You can view the HTTP request headers that proxy server sends to Splunk Web on the below endpoint after you set enableWebDebug=true in web.conf under settings stanza:
http://<ProxyServerIP>:<ProxyServerPort>/debug/sso
This endpoint will help to verify some of the common configuration or setup errors:
- Incoming request IP matches the configured value of
trustedIP - Ensure header attribute names set on proxy server are same as those configured on Splunk
- Make sure group entries are sent and parsed correctly. Especially, when
remoteGroupsQuoted = trueis set. You can see how groups are parsed by addingcategory.UiAuth=DEBUGinetc/log.cfgundersplunkdstanza.
Once this is verified, check the following configuration:
- Groups parsed have mapping in
roleMap_proxySSO - In some cases, user cannot log in because either the user or their roles are on an exclusion list. Check excludedobjects under the stanza named after value of
authSettings
These kind of login events are logged in var/log/splunkd.log along with the reason for failure.
| Configure ProxySSO | About single sign-on using reverse proxy |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.3.0
Download manual
Feedback submitted, thanks!